SHA256
1
0
forked from pool/haproxy
haproxy/0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch

53 lines
1.9 KiB
Diff

From 8e05ac2044c6523c867ceaaae1f10486370eec89 Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER <tfournier@haproxy.com>
Date: Mon, 16 Mar 2015 11:14:41 +0100
Subject: [PATCH 6/9] BUG/MAJOR: http: don't read past buffer's end in
http_replace_value
The function http_replace_value use bad variable to detect the end
of the input string.
Regression introduced by the patch "MEDIUM: regex: Remove null
terminated strings." (c9c2daf2)
We need to backport this patch int the 1.5 stable branch.
WT: there is no possibility to overwrite existing data as we only read
past the end of the request buffer, to copy into the trash. The copy
is bounded by buffer_replace2(), just like the replacement performed
by exp_replace(). However if a buffer happens to contain non-zero data
up to the next unmapped page boundary, there's a theorical risk of
crashing the process despite this not being reproducible in tests.
The risk is low because "http-request replace-value" did not work due
to this bug so that probably means it's not used yet.
(cherry picked from commit 534101658d6e19aeb598bf7833a8ce167498c4ed)
---
src/proto_http.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 705f3b4..f53b5e2 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3206,7 +3206,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha
/* look for delim. */
p_delim = p;
- while (p_delim < p + len && *p_delim != delim)
+ while (p_delim < val + len && *p_delim != delim)
p_delim++;
if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch)) {
@@ -3230,7 +3230,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha
return -1;
/* end of the replacements. */
- if (p_delim >= p + len)
+ if (p_delim >= val + len)
break;
/* Next part. */
--
2.1.4